Secondary mobile menu

Threat actor goes on a Chrome extension hijacking spree

August 14, 2017

Kafeine

Overview

Chrome Extensions are a powerful means of adding functionality to the Chrome browser with features ranging from easier posting of content on social media to integrated developer tools. At the end of July and beginning of August, several Chrome Extensions were compromised after their author’s Google Account credentials were stolen via a phishing scheme. This resulted in hijacking of traffic and exposing users to potentially malicious popups and credential theft.

We specifically examined the “Web Developer 0.4.9” extension compromise, but found evidence that “Chrometana 1.1.3”, “Infinity New Tab 3.12.3” [8][10] , “CopyFish 2.8.5” [9], “Web Paint 1.2.1” [11], and “Social Fixer 20.1.1” [12] were modified using the same modus operandi by the same actor. We believe that the Chrome Extensions TouchVPN and Betternet VPN were also compromised in the same way at the end of June.

Analysis

On August 12 Chris Pederick reported [1] that his Extension, Web Developer for Chrome, had been compromised (Figure 1).

Figure 1: Chris Pederick’s tweet from August 2, 2017 regarding the compromise of his Web Developer for Chrome Extension

We retrieved the compromised version and isolated the injected code.

Figure 2: Web Developer 0.4.9 Chrome Extension published by a bad actor after the legitimate extension was compromised

Figure 3: Snippet of the inserted code in content.js from the compromised version of Web Developer 0.4.9

In general terms, the compromised extension first checks to ensure that the Chrome Extension has been installed for 10 minutes using the following line of code:

if ((Date.now() - installed) > 10 * 60 * 1000)

Before proceeding with the rest of the extension code, compromised components of the extension retrieve a remote file, ga.js, over HTTPS from a server whose domain is generated via a domain generation algorithm (DGA):

In many cases, victims were presented with fake JavaScript alerts prompting them to “repair” their PC then redirecting them to affiliate programs from which the threat actors could profit. Figure 12 shows a malvertising chain that brings users from the fake alert to an affiliate site; we observed the compromised extension directing victims to two such affiliates, although others may also have been used.

Figure 12: Chain to affiliate program from a fake JavaScript alert

The code generating the fake alert page is shown in Figure 13:

Figure 13: Code generating the fake JavaScript alert

Figure 14: One of the affiliate programs receiving the hijacked traffic

Figure 15: Another affiliate program receiving the hijacked traffic.

The popup alerts were also reported in May with the “Infinity New Tab” compromise. The involved code in that compromised extension [5] is almost identical, but the DGA was slightly different:

The same malicious activity was also reported in some fake EU Cookie-Consent alerts [6] (Figure 16). The server involved in those cases, browser-updates[.]info, is the same as the one used in the “Infinity New Tab” case and most likely is an old front for the same backend as redirect2[.]top and loading[.]website. While those details are outside the scope of this blog, it is worth noting that examining these activities allows us to trace them back to @BartBlaze’s post from July 2016 [7]:

Figure 16: One of the servers currently used by this group to publish a trapped cookie-consent JavaScript script

Figures 17-19 show that this activity is able to generate substantial traffic:

Figure 17: Alexa report on browser-update[.]info

Figure 18: Similarweb report on searchtab[.]win

Figure 19: Alexa report on partner-net[.]men

The Phishing

Our colleagues at Phishme have already examined the credential phishing that originally allowed the actors to compromise the extensions [3]; the Web Developer extension case was almost identical:

Figure 20: Screenshot of the email used to harvest extension coder credentials

Conclusion

Threat actors continue to look for new ways to drive traffic to affiliate programs [13] and effectively surface malicious advertisements to users. In the cases described here, they are leveraging compromised Chrome extensions to hijack traffic and substitute advertisements on victims’ browsers. Once they obtain developer credentials through emailed phishing campaigns, they can publish malicious versions of legitimate extensions. In addition to hijacking traffic and driving users to questionable affiliate programs, we have also observed them gathering and exfiltrating Cloudflare credentials, providing the actors with new means of potential future attacks.

Acknowledgements

We would like to thank Cloudflare for their immediate action upon notification of malicious activity using their hosting service.

We would also like to thank Chris Pederick (author of the Web Developer extension) for sharing data tied to the phishing and how he and the CopyFish author transparently handled the incidents.